Some companies may see the proliferation of IT compliance regulations as a difficult constraint to manage. But with the right method, discipline and common sense, it is possible to handle these issues efficiently.
GDPR, NIS2, PCI-DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), NIST (Cybersecurity Framework, FIPS), SOC 2 (Service Organization Control): the volume and variety of IT compliance standards, laws, regulations and other directives in Europe and elsewhere can seem like an excessive, even overwhelming number of rules that some companies find difficult to manage.
But for Lucie Shen, managing consultant at Capgemini, this abundance of regulations reflects a reality in the field. "I don't really feel like there is an excessive number of rules in IT compliance. Instead of looking at the number of regulations, we should remind ourselves that this regulatory arsenal meets real market trends and a proven need for regulation. In other words, we need to look at the number of regulations in light of the growing impact of cyberattacks and companies' ever-increasing dependency on technology."
In Shen's opinion, the NIS2 directive has a valid reason for existing. By broadening the scope of NIS (from 19 to 35 business sectors) and bringing in certain private companies (broadly, medium-sized and larger enterprises: those with more than 50 employees or turnover in excess of €10 million), it accounts for market realities: an ever-increasing number of threats and an ever-increasing probability that more organizations will be affected.
"DORA takes the same approach. The directive acknowledges the market's shift from focusing on cybersecurity solely in terms of threat identification and protection to including resilience in the financial sector's strategies. The market recognizes that more and more crises will occur and that companies need to reinforce their crisis management, restoration and reconstruction capabilities," adds Lucie Shen.
Implement an effective intelligence system and capitalize on its potential
To implement an IT compliance policy successfully, it is best practice to set up an effective regulatory intelligence system. "This regulatory intelligence system should not be sporadic, but rather a long-term process. In the European Union, for example, there is a precise regulatory timetable with consultation mechanisms that allow companies to look ahead as far as possible and keep on top of upcoming legislation," notes Lucie Shen.
Another recommendation is to capitalize on existing regulations. "Instead of starting from scratch every time a new directive or law comes out, it is better to map out all the articles and requirements already in force. For example, for DORA, we compared several existing standards and regulations, such as the NIS framework, ISO 27001 and a cybersecurity regulation from the European Banking Authority (EBA). This helped us to quickly spot new developments and focus on what really sets each regulation apart," says Lucie Shen.
What is the ideal organization?
As for the ideal organization, most large companies today have cross-functional departments that deal with IT compliance. If we focus solely on cybersecurity and resilience, however, a slightly different setup is warranted. "At the very least, we would recommend sharing responsibility between a compliance team, a cybersecurity team and a risk team. This allows you to capitalize on other standards that compliance teams may not have in mind, since they are not mandatory," says Lucie Shen.
Another factor is securing senior management's full involvement in IT compliance projects. "Regulations are increasingly placing responsibility for cybersecurity at the highest corporate level. For DORA, for example, it's spelled out in black and white that the executive team is responsible for approving the risk analysis review on an annual basis and authorizing the associated cyber-resilience strategy. Executives must be fully aware of these cybersecurity issues to make the right decisions," says Lucie Shen.
Is special software a necessity?
There are many solutions on the market to help companies comply with IT regulations. Many executives and managers wonder whether they need such software.
"It all depends on the initial level of maturity and the ability to mobilize resources to monitor compliance. On the one hand, some companies track their IT compliance by creating a project for each regulation. They then manage the action plans to cover any non-compliances they may identify. For a company that manages its audit processes well, that may be enough. On the other hand, other companies may decide to invest in tools, usually for simplicity's sake but also to stay in compliance over the long term," says Lucie Shen.
Fortunately, IT compliance regulations increasingly respect the principle of proportionality. "Regulators, in their introductions and in the spirit of the legislation, now apply this principle almost systematically. This ensures that requirements can be pragmatically adapted to the size and systemic or non-systemic nature of companies, and offers flexibility to organizations," says Lucie Shen.